Saturday, January 29, 2011

pci compliance on IIS 6.0

I have a website that has just failed a PCI Compliance check - The report said that the site supported weak ciphers. I thought I'd already disabled that by turning off SSL 2.0 on the webservers. (It refuses to load a web page if I tell the browser to use only SSL 2.0)

Is there anything else I need to disable or check? (It is a web farm, is there anything on the load balancer I need to look at - Incidentally, the LB should be simply passing the data through, the encryption/decryption is all done on the web servers)

Windows Server 2003, IIS 6.0, ASP.NET 2.0 web site.

--- Update ---

Having gone through the links supplied by GregD, I have resolved most of the issues. I'm still getting the issue that the certificate is not trusted. The SSL Labs website helpfully gives some hints on why that could be (but otherwise isn't very explicit on the subject):

There are many reasons why a certificate may not be trusted:

  • It is used before its activation date (It is in date)
  • It is used after its expiry date (It is in date)
  • Certificate hostname doesn't match the site (host name and site match)
  • It has been revoked (How do I tell?)
  • It is self-signed (It's is by verisign)
  • The issuer is not a well-known certificate authority (Is verisign well known enough?)
  • The certificate chain is incomplete (How do I tell?)

Firefox seems to get on okay with the certificate, putting up a nice green area on the address bar.

  • It goes a little bit beyond just turning off SSL 2.0. You also have to disable weak encryption algorithms by following this MS KB. Your PCI scan should have pointed out what specifically it found.

    You can use a website like, https://www.ssllabs.com/ssldb/index.html for testing your SSL certs.

    Colin Mackay : Thanks for the link to ssllabs - I understand what they wrote better that the PDF that I was emailed.
    From GregD
  • I've seen cases like this were multiple sites are hosted, and one has SSL turned on. Make sure that the common name on the cert resolves to the public IP as well.

    GregD's suggestion is good as well, We've had to go in and modify the allowed ciphers. Your report will probably complain about 1 or 2, but take a look at the other ones, and decide which ones you need. Our report complained about the 56-bit ciphers, so we turned them off. 3 months later they complained about the 60-bit ones...

    Colin Mackay : I've turned off all ciphers less that 128bit so hopefully we won't have that issue. What do you mean by "common name" on the cert? And how do I tell if it resolves to the public IP? (I presume that's the IP the load balancer exposes the site to the world as).
    From BillN
  • On IIS 6 on Windows 2003, simply merge the following into your registry:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    
    "Enabled"=dword:0000000
    

    Source: http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

0 comments:

Post a Comment